1. INTRODUCTION

Cloud computing has emerged as an innovation that reduces management effort for organizations
and allows them to focus on their core functions. According to a Gartner study, cloud computing is
among the top ten innovations in the field of computing [1]. Cloud computing provides computing
services, information and memory space at a very reasonable cost. It has many advantages over
traditional privately owned data centers, such as business innovation, economy of scale, low
administrative overhead, low operation and maintenance cost, and high quality services. Thus cloud
computing appears to be one of the best options for a large number of IT organizations. According to
one survey, 91% of organizations in Europe and the US accept that cost effectiveness is the main reason
to migrate their business to the cloud [2]. But every coin has two faces, i.e. cloud computing also has
challenges. The generalization of cloud computing leads more enterprises and individuals to put large
amounts of sensitive information in the cloud, so the impact of security issues will be large [3, 4]. A
survey of cloud services by IDC highlights that security is one of the biggest threats to the adoption
of cloud, as shown in Figure 1 [5].

A few well-known security incidents have occurred in the past. In 2009, PayPal, a payment tool,
encountered a network outage, as a consequence of which millions of machines could not sell
products for an hour on a global scale [6]. In 2011, the packet switched network of Sony was breached by
a hacker, which resulted in the compromise of personal information of 70 million users [7]. In 2013, the
Windows Azure cloud encountered a global failure caused by the exchange of deployment by virtue of manual
operation [8]. All of these incidents resulted from improper assessment of threats, vulnerabilities
and their impact on the system.

The majority of the above incidents were at the application level. The SaaS model is more risk prone
than PaaS and IaaS because it inherits the risks of those models. This may act as a driving
force to understand the challenges in the SaaS model. Our focus is to study security risk at different
levels such as application, transmission and storage. The purpose of the review is to identify the
different types of existing vulnerabilities exploited by malicious attackers and to analyse their impact
on the system. To cover the topic, the paper is divided into five sections. Section 2 discusses cloud
architecture, especially for the SaaS model; section 3 discusses security in cloud architecture; section 4
gives a brief literature review; section 5 proposes a mapping between vulnerabilities, attacks and
threats; and the final section 6 consists of the purpose and conclusion of the research.

Figure 1. Impact of security aspect for cloud


2. CLOUD ARCHITECTURE 

Cloud architecture consists of components loosely coupled to each other. These components are
broadly categorized into two major parts, Front End and Back End, connected via the internet. Front End
refers to the client part (e.g. web browser, mobile app etc.) and Back End refers to the cloud itself. A
cloud provider usually provides three basic levels of service: IaaS, PaaS and SaaS [9]. As per the Cloud
Security Alliance (CSA) stack model, SaaS inherits all the hidden challenges of PaaS as well as IaaS [10].
The cloud architecture skeleton for a SaaS provider is illustrated in Figure 2.

Figure 2. Cloud architecture


Figure 2 shows that a SaaS provider consists of two main components: enterprise services and
supportive services. Enterprise services are the ready services that directly serve the clients,
while supportive services are those that play a significant role in providing security and maintenance
to end services. Supportive services include inheritance of permission, discretionary access control,
user based authorization, auditing of system events and administrative privilege. Inheritance of
permission means that when a user creates a group, it inherits all the permission rights of its parent
group. Discretionary access control reflects the resource owner's decision on how a resource can be
shared. It is a type of access control defined by the Trusted Computer System Evaluation Criteria. It
helps to restrict access to objects based on identity, subject and group. User based access control
depends on the role based access control model. This model assigns roles to users, and access privileges
are assigned to users based on those roles. Auditing of system events is one of the most important steps
to ensure reliability and performance. Administrative privilege relates to the right of administrative
access to protected resources. Finally, these SaaS service providers may be supported by bottom
providers, which also bring many hidden challenges.


3. SECURITY IN CLOUD ARCHITECTURE 

In cloud architecture, two main actors are involved in the functioning of the cloud: the cloud
provider and the cloud users. It is therefore necessary to define the boundaries of responsibility for
security between provider and user. The Cloud Security Alliance (CSA) stack model defines the boundaries
of responsibility between provider and user for each specific service model [10]. The cloud provider has
the most responsibility for SaaS and the least for IaaS. The model defines the security level up to
which the cloud provider is responsible for managing the concerns.

From the above description it is clear that both actors are responsible for managing and
controlling various security issues. Although the security boundaries are defined, cloud security is
still one of the nightmares to handle. All the past security incidents occurred because of different
vulnerabilities in the cloud system. These incidents may be easily avoided with the help of an effective
approach to identify the vulnerabilities and assess their impact during the vulnerability life cycle.
This information may be stored and used for timely generation of solution patches or to inform cloud
users in advance so that they can take precautions to avoid exploitation. In the era of cloud security
solutions, early detection of vulnerabilities and threats is one of the most demanding research topics
for current researchers. A large amount of research is currently going on in this area. But cloud
computing comprises a variety of assets vulnerable to different threats, and hence requires serious
attention from current cloud security researchers.


4. LITERATURE REVIEW 

This review section presents the views of different authors on existing security issues in cloud
architecture. In 2009 Kandukuri, Paturi and Rakshit discussed including more security management
commitments in the documentation of the Service Level Agreement (SLA). The purpose of this document is to
identify and define customer needs, provide a framework for better understanding, simplify complex issues,
reduce conflicts, encourage dialog in disputes, and avoid unrealistic expectations. The document
comprises service definition, performance management, problem management, customer duties and
responsibilities, warranties and remedies, security, disaster recovery and business continuity, and
termination policies. The paper highlighted past SLA issues regarding standard waiver schemes that may
not satisfy the customer for losses. It is therefore necessary to issue the waiver according to the
business loss and also to include various security commitments from the cloud provider, such as privileged
user access, regulatory compliance, data location, data segregation, investigative support, recovery and
long-term viability. This may be viewed as one of the important steps to increase user trust in the
cloud provider [11].

In 2010 Cusumano conducted research to highlight threats affecting security requirements such as
confidentiality, integrity and availability, known as the CIA parameters. In this research, security
threats are classified as account control, malicious internal staff, multi-tenant problem, data control
and safety management. Account control is a problem related to service and identity hijacking. Malicious
internal staff is one of the biggest problems, because the culprit is within the system and has access to
valuable and sensitive resources. Such a culprit or malicious staff member may not be easily detectable
via an Intrusion Detection System (IDS) or firewall. Multi-tenant problems relate to the effectiveness or
robustness of the methodologies currently used for isolation during sharing. Data control problems relate
to data privacy or loss. Safety management is about the effectiveness of prevention mechanisms [12]. In
the same year, Dimitrios Zissis & Lekkas highlighted the same sort of issues as Cusumano (account
control, data control, multi-tenancy issues, malicious internal staff and management console) and went
one step further by suggesting a solution. The authors proposed a solution using Single Sign On (SSO)
and LDAP to ensure the effective authentication, integrity and confidentiality needed for data and its
communication [13]. In the same year, Prasad & Ben proposed a quantitative risk assessment and impact
analysis framework. This framework defined risk as a combination of the probability of occurrence of
security threats and the severity of their impact on the cloud. This may be viewed as a road map to
assess the robustness of different vendors and their approach [14].

In 2011 Feng compared security aspects and their impact on the cloud. This research concluded that
security and privacy of data are among the biggest issues to tackle. Feng also pointed out the
absence of an effective security rank evaluation and verification system. It was noticed that the
majority of ongoing research focuses on identifying threats and suggesting countermeasure techniques
without ranking the severity of a particular threat to the cloud architecture [15]. In the same year,
Subashini & Kavita discussed internal security aspects related to the web browser and web service
interface API used for accessing different services. Their paper highlighted the presence of weak
authentication and authorization mechanisms and weak data isolation and segregation, and also discussed
the multi-tenancy problem, which has a significant impact on three very important security parameters:
confidentiality, integrity and availability [16].

In 2012, Joshi and Vijayan carried out research on zombie attack prevention. Their paper suggested
the Cloud Trace Back (CTB) model as a prevention technique. This model is based on a deterministic
packet marking algorithm. It uses a cloud protector consisting of a virtual firewall to verify the
authenticity of requests from genuine users with the help of white and black IP address lists [17]. In
the same year Duan, Chen, Sanchez and Dong also carried out research in the field of zombie attacks.
Their paper introduced the SPOT approach to detect compromised virtual machines by monitoring outgoing
messages. It is based on a powerful statistical tool, the Sequential Probability Ratio Test (SPRT). The
SPOT approach depends on two important terms, count threshold and percentage threshold, to detect
malicious spam messages from internal machines [18].
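
The sequential test named above, as an added example (not code from [18] or from this paper): Wald's SPRT applied to a per-VM stream of outgoing-message verdicts, deciding as early as the evidence allows whether a machine looks compromised. The probabilities, error rates, VM names and event list are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

# Assumed parameters for this example (not taken from the paper or from [18]).
THETA0 = 0.2  # P(outgoing message is flagged as spam | VM is normal)
THETA1 = 0.9  # P(outgoing message is flagged as spam | VM is compromised)
ALPHA = 0.01  # tolerated probability of flagging a normal VM
BETA = 0.01   # tolerated probability of clearing a compromised VM


@dataclass
class _Run:
    llr: float = 0.0  # running log-likelihood ratio ln(P(obs | H1) / P(obs | H0))
    seen: int = 0     # messages consumed since the last decision


class SprtMonitor:
    """Wald's SPRT per VM. H0: the VM is normal. H1: the VM is compromised."""

    def __init__(self, theta0=THETA0, theta1=THETA1, alpha=ALPHA, beta=BETA):
        if not 0 < theta0 < theta1 < 1:
            raise ValueError("need 0 < theta0 < theta1 < 1")
        if not (0 < alpha < 0.5 and 0 < beta < 0.5):
            raise ValueError("alpha and beta must lie in (0, 0.5)")
        self.lower = math.log(beta / (1 - alpha))  # accept H0 at or below this
        self.upper = math.log((1 - beta) / alpha)  # accept H1 at or above this
        self.step_spam = math.log(theta1 / theta0)
        self.step_ham = math.log((1 - theta1) / (1 - theta0))
        self._runs = {}

    def observe(self, vm_id, is_spam):
        """Feed one message verdict; return (decision, messages used so far)."""
        run = self._runs.setdefault(vm_id, _Run())
        run.llr += self.step_spam if is_spam else self.step_ham
        run.seen += 1
        if run.llr >= self.upper:
            decision = "compromised"
        elif run.llr <= self.lower:
            decision = "normal"
        else:
            return "undecided", run.seen
        used = run.seen
        # Design choice of this example: start a fresh test after every decision
        # so that a VM cleared once keeps being monitored.
        self._runs[vm_id] = _Run()
        return decision, used


# Constructed sample: (vm_id, spam filter verdict) for each outgoing message.
SAMPLE_EVENTS = [
    ("vm-a", True), ("vm-b", False), ("vm-c", True),
    ("vm-a", True), ("vm-b", False), ("vm-c", False),
    ("vm-a", True), ("vm-b", False), ("vm-c", True),
    ("vm-a", True), ("vm-c", False),
]


def flagged_vms(events, monitor=None):
    """Return [(vm_id, messages_needed)] in the order the VMs were flagged."""
    monitor = monitor or SprtMonitor()
    flagged = []
    for vm_id, is_spam in events:
        decision, used = monitor.observe(vm_id, is_spam)
        if decision == "compromised":
            flagged.append((vm_id, used))
    return flagged


if __name__ == "__main__":
    print(flagged_vms(SAMPLE_EVENTS))
```

With these assumed rates a steady spam sender is flagged after four messages, a clean sender is cleared after three, and a VM with alternating verdicts stays undecided, which is the behaviour that distinguishes a sequential test from a fixed-size sample.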

In 2013, Keiko, David and Eduardo conducted research on threats including account control,
malicious internal staff, multi-tenant problem, data control and safety management. The purpose was to
highlight what is lacking in existing systems. Countermeasures to reduce or overcome the effect of these
threats were also discussed [19]. In the same year, Chirag, Dhiren, Bhavesh, Avi and Muttukrishnan went
one step further in analysing vulnerabilities, attacks and their corresponding threats. The purpose was
to generate a linking between the vulnerabilities, attacks and threats [20]. In the same year Jyoti,
Ritu, Neha and Monika carried out research on phishing attacks. Their paper threw light on various ways
and means of planning a phishing attack, such as sending bulk mails or creating a web page similar to
well-known websites. It then introduced anti-phishing techniques: server based techniques with the help
of brand monitoring, behaviour detection and security incidents, and client based techniques including
email analysis, black lists, similarity of layout etc. [21].

In 2015, Torkura, Cheng and Meinel conducted research on the development of a proactive vulnerability
assessment framework. Various scanners are deployed for early detection of flaws in cloud architecture.
In this paper, a quantitative risk assessment was conducted over the OpenStack vulnerability life cycle,
and different risk levels were noticed due to prolonged patch release and inclusion duration. These risk
levels are black risk, grey risk and white risk. Existing scanners mitigate white risk only, with the
help of the Open Source Vulnerability Database (OSVDB) and the National Vulnerability Database (NVD).
The paper proposed a proactive framework for vulnerability assessment to mitigate the grey and black
risk levels by including more dynamic sources such as Bug Tracking Systems (BTS), malicious signature
repositories and the exploited database (EDB) [22].

In the same year Masky, Young and Choe proposed Operationally Critical Threats Asset Vulnerability
Evaluation (OCTAVE) as a novel risk identification framework for security issues. It was noticed that
various threats occur because of improper identification and impact assessment of risk in the cloud. The
proposed framework works in four phases consisting of eight steps. The first phase develops risk
measurement criteria around qualitative parameters such as Reputation / Confidence, Financial
Requirement, Productivity, Safety and Health, and Fines and legal penalties, with priority-wise ranking.
In phase 2, all the information assets identified as critical are profiled. This profiling includes
identifying the security requirements of each information asset and the container where it is stored,
transported and processed. Phase 3 identifies the threats to the information asset. The final phase
identifies the risk to the information asset. This risk may be viewed as a combination of threats with
their adverse impact on the system. Finally, it includes the analysis and suggests a mitigation
approach [23].

In 2016, Dang, Lei, Zhang, Shuai and Zhuang carried out research on various security aspects
of the software as a service model. Based on the analysis, it was divided into three major components:
application, transmission and storage. The paper proposed two very important models, the Analytical
model and the Relational model. The purpose of these models was to enrich the knowledge bank of
well-known problems that occurred in the past and finally to link them with their solutions using the
relational model [24]. In the same year, Rakshita carried out research on zombie attack detection and
prevention and proposed a framework to detect and prevent zombie attacks. The framework works in two
phases. In phase 1, a lightweight network intrusion detector is placed on the cloud server to scan for
vulnerabilities and attacks and to establish a scenario attack graph, and this graph is used to decide
whether the network should be put under inspection or not. If yes, then in phase 2 the virtual network
is reconfigured [25].


4.1. Review Observation 

The above review shows that security revolves around three important terms: vulnerability, attack and
threat. The bulk of ongoing research aims to identify attacks and their associated threats, but only a
very limited number of studies focus on the reason for these attacks. Early detection of
vulnerabilities is one way to avoid these attacks and threats. This also places great emphasis
on establishing a strong correlation between the identification of different security anomalies and
the management of their relation to security. The threats, vulnerabilities and attacks in question put
the functionality of SaaS services into a malicious phase and harm services and software. Table 1
shows the literature review summary.


Table 1. Literature Review Summary 


S.No | Author/Reference | Year | Research Topic | Finding | Limitation
1 | Kandukuri [11] | 2009 | Cloud security issues | Defined ways to include more commitment in SLA from cloud provider. | Not discuss about security issues from back end.
2 | Cusumano [12] | 2010 | Cloud computing and SaaS as new computing platform | Classification of threat | Not discuss about counter measure.
3 | Dimitrios [13] | 2010 | Addressing cloud computing security issues | Classification of threats and suggested their counter measures. | Not discuss about the authenticity of counter measure.
4 | Prasad [14] | 2010 | QUIRC: A Quantitative impact and risk assessment framework for cloud security | [illegible] | Question on authenticity and broad acceptance of framework.
5 | Feng [15] | 2011 | Study on cloud computing security | Comparison of threats and pointed towards the absence of rank evaluation system. | Require a discussion how to develop such system.
6 | Subashini [16] | 2011 | A survey on security problems in service delivery models of cloud computing | Classification of threats at client side (internal threats related to browser) | Require more light on existing client architecture to avoid these threats.
7 | Joshi [17] | 2012 | Securing cloud computing environment against DDoS attacks. | [illegible] | Question on authenticity and broad acceptance of model.
8 | Duan [18] | 2013 | [illegible] | Proposed a SPOT approach for Zombie Attack Detection | [illegible]
9 | Keiko [19] | 2013 | An analysis of security issues for cloud computing | Discussed about vulnerability in existing system for early removal of threats. | Require more extension about vulnerability and its linking with threats.
10 | Chirag [20] | 2013 | A survey on security issues and solution at different layers of cloud computing | Proposed a linking between vulnerability and threats. | Require suggestion to overcome these vulnerabilities.
11 | Jyoti [21] | 2013 | Phishing & anti-phishing technique: case study | Highlighted the ways to plan phishing attack and proposed anti-phishing technique. | Question on authenticity and broad acceptance of technique.
12 | Torkura [22] | 2015 | A proposed framework for proactive vulnerability assessment in cloud | Vulnerability Assessment Framework | Question on authenticity and broad acceptance.
13 | Masky [23] | 2015 | A novel risk identification framework for cloud computing security | Proposed an OCTAVE (Operationally Critically Threats Assets Vulnerability Evaluation) approach | Question on authenticity and broad acceptance and limited to storage asset only.
14 | Dang [24] | 2016 | Security analysis model, system architecture and relational model of cloud services | Proposed two models, relational model and analytical model, to enrich security knowledge bank. | Question on authenticity and broad acceptance


5. ESTABLISH A MAPPING BETWEEN VULNERABILITIES, ATTACKS AND THREATS 

The purpose of this section is to list vulnerabilities, attacks and their corresponding threats. The
main focus of the listing is to derive a concrete mapping between vulnerabilities, attacks and threats.
With the help of the proposed mapping, the main aim is to highlight the impact of vulnerabilities and
attacks in different areas of major concern.


5.1. Classification of Vulnerabilities

A vulnerability is a flaw in an existing system. These flaws may be exploited by
different malicious attackers to harm the system. Since this model was introduced recently and is new
to the computing world, it has many loopholes, as follows:


5.1.1. Employee and Cloud User Unawareness 

Lack of awareness of employees and users about the system continues to be a nightmare
for cloud computing in the IT industry. This loophole can be exploited by attackers to plan a zombie
attack [18, 25] or a phishing attack [21]. The reasons these vulnerabilities exist are poor hiring
strategy and background checks, and a lack of employee screening and security education [10, 33].


5.1.2. Easy and Un-authorised Access 

Management interfaces are easily accessible over the internet. Although cryptography is used to
prevent unauthorized access, advances in cryptanalysis turn strong encryption into weak
encryption. For example, a cryptographic hole was discovered in the Amazon EC2 management interface by
performing signature wrapping and cross site scripting (XSS) attacks, whereby the interfaces used to
manage cloud resources are hijacked. It allows creating, modifying and deleting machine images and
changing administrative passwords and settings [34]. This may lead to zombie attack [18, 25], phishing
attack [21] and service injection attack [26-28] etc.


5.1.3. Lacking in Concept of Virtualization 

Virtualization is the basis for sharing a single resource among multiple tenants. In cloud
architecture, a virtual machine comprises application software and a guest operating system, running
under the control of a hypervisor in the host operating system. It has often been noticed that malicious
internal staff gained access to the host operating system and compromised the hypervisor to gain access
to guest machines. For example, malformed code in Microsoft's Hyper-V, run by an authenticated user
(internal employee) in one of the VMs, caused a Denial of Service. By compromising the hypervisor, an
attacker can gain control over VMs, e.g. BLUEPILL [29], SubVirt [30], and DKSM [31].


5.1.4. Lacking in Internet Protocol 

Flaws in authentication mechanisms and validation techniques, and weak mutual authentication
mechanisms, are used by attackers to plan ARP spoofing, DNS poisoning and man-in-the-middle attacks [20].


5.1.5. Web Browsers and In-Secure API 

Cloud services are accessed with the help of web browsers and APIs. But infection of the web browser
through unwanted visits to malicious websites, and insecure APIs resulting from weak access credentials,
poor authorization and poor input validation techniques [19], leave them vulnerable to malicious
activities such as phishing attack [21] and service injection attack [26-28].


5.1.6. Data Storage Related Vulnerabilities 

Data of multiple tenants is stored at the same location. Such storage raises questions about the
robustness of the segregation and isolation mechanisms for data of multiple tenants stored under
different jurisdictions or places. It also causes the problems of incomplete or insecure data deletion,
lack of transparency [19], and meta-data spoofing attack [20].


5.2. Classification of Attacks 

An attack may be defined as a way of exploiting vulnerabilities to harm the system. The different
types of attack are listed below:


5.2.1. Zombie Attack 

An attacker compromises hosts to plan a zombie attack [20]. These hosts are used by the hacker to send
a large number of requests to a virtual machine. This interrupts the expected behavior of cloud
computing and affects its availability: the cloud is overloaded serving the large number of requests
and is then exhausted, causing Denial of Service (DoS) or Distributed Denial of Service (DDoS) [17].
This may be prevented via better authentication, authorization and IDS/IPS, which keep systems from
being hacked and used in a zombie attack. For example, a denial of service attack against BitBucket.org,
a code hosting site, caused an outage of over 19 hours of downtime during an apparent denial of service
attack on the Amazon cloud infrastructure [32].


5.2.2. Service Injection Attack

The facility of free-to-use instances of requested services and an easily accessible management
interface allow an adversary to plan or inject a malicious service or create a new virtual machine [20].
If the attacker succeeds in doing so, valid requests can be redirected to the malicious services
automatically. This results in threats like customer data manipulation and account or service hijacking.
This may be avoided by a strong isolation or identification mechanism for virtual machines, or by
implementing service integrity.


5.2.3. Attack on Virtualization 

VM Escape. A malicious program running in a virtual machine allows the attacker to interact directly
with the hypervisor. This allows the attacker to gain access to the host OS and then compromise the
guest OSes controlled by the host OS [20].


5.2.4. Man-in-the-middle Attack 

A man-in-the-middle attack follows the chess analogy of either winning or drawing a game. The attacker
makes independent connections with the victims and relays or alters the messages between them. It helps
an attacker gain access to sensitive information or manipulate customer data. It is possible because of
flaws in internet protocols, weak passwords that give access to a wireless network, and weak mutual
authentication mechanisms [20].


5.2.5. ARP Spoofing 

The attacker sends a falsified ARP message to associate an IP address with a malicious host. This is
possible because ARP does not require proof of origin for the source. This flaw may be used by the
attacker to plan an ARP spoofing attack and redirect a customer to a malicious host [20].


5.2.6. DNS Poisoning 

DNS servers provide a mapping from domain names to specific IP addresses with the help of the
domain resolver cache. If the cache contains a corrupt domain name mapping, the customer lands on a
malicious website. This is due to flaws in DNS software and in the source validation mechanism [20].


5.2.7. Meta Data Spoofing Attack 

The presence of weak authentication and authorization mechanisms, and of malicious internal staff,
together with outdated encryption techniques, allows an attacker to change or modify the information
about the services stored in the web service description language (WSDL) file at delivery time. It helps
the attacker gain access to various important applications or sensitive information [20].


5.2.8. Phishing Attack 

An attacker may use web services to manipulate a link and redirect the customer to a false
website in order to steal sensitive information. A number of ways and means are used these days to plan
a phishing attack. It results in account or service hijacking and identity theft. Such an attack is
known as a phishing attack [20].


5.3. Classification of Threats 

Threats can be understood as the final potential loss for the system. They can be listed as:


5.3.1. Loss of Control over Resources

In cloud architecture, organizations hand over their sensitive business applications and information
to a third party vendor. As a matter of policy, and for security reasons, the cloud provider does not
provide transparency about its management policies, i.e. how data is processed and transferred and where
it is stored. As a result, the organization loses control over its sensitive resources [24]. An
organization therefore needs to be very careful when moving sensitive resources to the cloud, or should
define a clause for its special request for control in the Service Level Agreement.


5.3.2. Misuse of cloud computing resources 

The presence of malicious users and employees and an easily accessible management interface leads to
misuse of resources to plant attacks on cloud computing [24]. It should be avoided by implementing
strong encryption, verification, background checks and authentication techniques.


5.3.3. Malicious Insiders

With a higher level of access, an employee can gain access to confidential data and services.
In-house activities are often passed by a firewall or Intrusion Detection System (IDS) on the assumption
that they are legitimate. However, a trusted insider may turn into an adversary, e.g. malicious insiders
may access confidential data and gain control over the cloud services with no risk of detection [20].
The cloud provider should have a mechanism to scan the activities of employees with a higher level of
access in order to spot malicious actions.


5.3.4. Account or Service Hijacking or Identity Theft 

Account or service hijacking or identity theft can be defined as the hacking of an account or service.
It may be done via social engineering or be due to weak credentials. It allows malicious acts such
as accessing sensitive data, manipulating data and redirecting any transaction [10, 19, 20]. This draws
attention to phishing attacks, fraud, exploitation of software vulnerabilities and reused
credentials [21].


5.3.5. Data Scavenging 

Data for multiple users is stored at the same location in the cloud. Data for multiple users
may be stored in the same disk space, or multiple copies of data may be created to ensure high
reliability and increase trust in the cloud. This creates a problem for requests for complete data
deletion and opens a space for malicious actors to steal sensitive data or information of a particular
organization [19]. It is recommended that the cloud user include a clause in the Service Level Agreement
about the sensitivity of the data or information to ensure appropriate security and privacy.


5.3.6. Data Loss or Leakage 

Data in the cloud is shared among multiple organizations and hence may be in danger of leakage or
loss. It may be leaked when transferred over the internet (because of attacks such as man-in-the-middle
attack and ARP spoofing), processed over the internet (because of weak authentication and authorization
mechanisms) and stored over the internet (because of poor isolation, incomplete deletion, disaster
recovery provided by an unreliable party, or a weak encryption algorithm). It requires timely audit of
system performance, validation and testing [19, 20].


5.3.7. Denial of Service 

Denial of service has a significant impact on service availability metrics. It is caused by
receiving a large number of requests from malicious hosts, which is done via a zombie
attack [19, 20].


5.3.8. Customer Data Manipulation 

Users attack web applications by manipulating data sent from the application component to the server's
application with the help of SQL injection, insecure direct object references and cross site scripting
[19, 26-28]. Figure 3 shows the mapping between vulnerabilities, attacks and threats.
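
The mapping this section builds up, written out as an added example (not the authors' code or a transcription of Figure 3): a two-level graph from vulnerabilities to attacks to threats, with queries for which threats a vulnerability can lead to and which vulnerabilities sit behind a threat. Edges are taken only from the text of sections 5.1 to 5.3; the lower-case labels and function names are this example's own.

```python
# Vulnerability -> attacks, with the section each edge is stated in.
VULN_TO_ATTACKS = {
    "employee and cloud user unawareness": {"zombie", "phishing"},                # 5.1.1
    "easy and unauthorised access": {"zombie", "phishing", "service injection"},  # 5.1.2
    "lacking in virtualization": {"attack on virtualization"},                    # 5.1.3, 5.2.3
    "lacking in internet protocol": {"arp spoofing", "dns poisoning",
                                     "man-in-the-middle"},                        # 5.1.4
    "web browsers and insecure api": {"phishing", "service injection"},           # 5.1.5
    "data storage": {"meta-data spoofing"},                                       # 5.1.6
}

# Attack -> threats. An empty set means the text describes the attack's effect
# but does not tie it to one of the threats named in section 5.3.
ATTACK_TO_THREATS = {
    "zombie": {"denial of service"},                                   # 5.2.1, 5.3.7
    "service injection": {"customer data manipulation",
                          "account or service hijacking"},             # 5.2.2
    "man-in-the-middle": {"data loss or leakage",
                          "customer data manipulation"},               # 5.2.4, 5.3.6
    "arp spoofing": {"data loss or leakage"},                          # 5.3.6
    "phishing": {"account or service hijacking"},                      # 5.2.8
    "attack on virtualization": set(),                                 # 5.2.3
    "dns poisoning": set(),                                            # 5.2.6
    "meta-data spoofing": set(),                                       # 5.2.7
}


def dangling_attacks():
    """Attacks referenced by a vulnerability but missing from ATTACK_TO_THREATS."""
    used = set().union(*VULN_TO_ATTACKS.values())
    return sorted(used - set(ATTACK_TO_THREATS))


def threat_paths(vuln):
    """All (attack, threat) pairs reachable from one vulnerability."""
    return sorted((a, t) for a in VULN_TO_ATTACKS[vuln] for t in ATTACK_TO_THREATS[a])


def threats_for(vuln):
    """Distinct threats reachable from one vulnerability."""
    return sorted({t for _, t in threat_paths(vuln)})


def vulnerabilities_behind(threat):
    """Vulnerabilities whose removal would cut at least one path to the threat."""
    return sorted(v for v in VULN_TO_ATTACKS if threat in threats_for(v))


def rank_vulnerabilities():
    """Vulnerabilities ordered by how many distinct threats they can lead to."""
    pairs = ((v, len(threats_for(v))) for v in VULN_TO_ATTACKS)
    return sorted(pairs, key=lambda p: (-p[1], p[0]))


def attacks_without_threat():
    """Attacks the text leaves unlinked to a named threat."""
    return sorted(a for a, ts in ATTACK_TO_THREATS.items() if not ts)


if __name__ == "__main__":
    for vuln, count in rank_vulnerabilities():
        print(f"{count} threat(s): {vuln} -> {threats_for(vuln)}")
    print("unlinked attacks:", attacks_without_threat())
```

The ranking reflects only the edges the text states; attacks listed by `attacks_without_threat()` are places where the written sections stop short of naming a threat.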


6. PURPOSE AND CONCLUSION 
6.1. Purpose 

The main focus was to understand the security domain in cloud architecture. Security is one of the
biggest threats in cloud computing. The intention was to highlight three important pillars,
vulnerabilities, attacks and threats, and to discuss the strong correlation between them. The motive of
the study was to draw the attention of researchers to curing the loopholes in cloud architecture as
early as possible.


6.2. Conclusion 

This paper has discussed different vulnerabilities with their corresponding attacks and threats. A
strong correlation between vulnerabilities, attacks and threats was noticed. But it was also noticed
that the bulk of research focuses on suggesting countermeasures for different threats. In conclusion,
this paper would like to draw the attention of all academicians and researchers to working on early
detection of vulnerabilities in existing systems, to protect them from malicious attacks and their
corresponding threats.

Figure 3. Mapping between vulnerability, attack and threats